Information Security Policy
Policy #: LFC.ITS.02
Date: 11/1/2024
Author: LFC ITS
Version: 2.5
Status: Approved
1. Purpose
2. Scope
3. Risk Assessment & Management
4. Roles and Responsibilities
5. Security Standards Policies
6. Data Protection Policy
7. Minimum Access Policy
8. Administrative Computer Rights Policy
9. Physical and Environmental Security Policy
10. Cybersecurity Awareness & Training Policy
11. Incident Response Policy
Appendix: Definitions
Related Policies
OVERVIEW
Lake Forest College has an obligation to comply with various regulations which require it to create effective administrative, technical, and physical safeguards to protect personal information. Failure to protect this information – or the electronic resources it typically resides in – could have financial, legal, and ethical ramifications. Mitigating risks to Lake Forest College operations preserves the ability of the College to perform its mission and meet its responsibilities to students, faculty, staff, and the community it serves. Additionally, many government regulations and granting agencies already require a higher level of security to safeguard government information included in research and university projects. In the future, many of these sponsors will not accept grant applications from institutions that do not meet these higher standards of data security. As such, the College acknowledges its obligation to implement appropriate security mechanisms for information systems in its domain of ownership and control.
To meet these obligations, the College is publishing this Information Security Policy (hereafter the “Policy”) and has established an associated internal Comprehensive Information Security Program (hereafter “Program”) to guide these endeavors. The Policy covers all forms of Personal Information (hereafter “PI”) whether it is maintained digitally, on paper, or other media. Such information may be called Confidential Personal Information (CPI), Personally Identifiable Information (PII), Non-public Financial Information (NFI), or Personal Health Information (PHI) by various regulatory acts or information security frameworks, but the general concept is the same. As the nature of the work is complex and the scope of the project extensive, the Program will be implemented through an Information Security Plan (hereafter “Plan”) in a phased approach.
In formulating and implementing the Program, the College’s objectives are to:
- Identify reasonably foreseeable internal and external risks to the confidentiality and/or integrity of any electronic, paper, or other records containing personal information;
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
- Evaluate the sufficiency of existing policies, procedures, information systems, internal controls and security practices, in addition to other safeguards in place to control risks;
- Design and implement a plan that puts safeguards in place to minimize those risks, consistent with the requirements of federal regulatory acts and Illinois state laws; and
- Periodically monitor the effectiveness of those safeguards and adjust them as necessary
1. PURPOSE
Lake Forest College is committed to protecting the confidentiality, integrity, and availability of all sensitive data that it accesses, collects, distributes, processes, stores, uses, transmits, disposes of, or otherwise handles. The College has implemented multiple policies to protect such information, and this Policy should be read in conjunction with these other policies that are linked at the end of this document. The Program and Plan are aligned with security best practices recommended in widely adopted cybersecurity frameworks and associated publications:
- National Institute for Standards and Technology (NIST) CyberSecurity Framework (CSF) and other NIST publications;
- The Cybersecurity Performance Goals (CPGs) published by the federal Cybersecurity and Infrastructure Security Agency (CISA);
- The CIS Critical Security Controls (v8);
- The Federal Trade Commission publication on protecting personal information; and
- Additional materials available to members of the EDUCAUSE Higher Education Information Security Council.
The specific goals in publishing this Policy are to:
- Describe how Lake Forest College complies with the Gramm-Leach-Bliley Act ("GLBA") Safeguards Rule and other federal and state laws and regulations;
- Identify baseline security standards for Lake Forest College;
- Detail administrative, technical, and physical safeguards being implemented to protect systems and data maintained by the College;
- Establish procedures which align with current Information Security best practices;
- Ensure clear communication of information security policies and standards;
- Communicate how Information Technology Services (ITS) will identify and mitigate information security risks to the College; and
- Assign responsibility for the security of departmental, administrative, and other critical Lake Forest College e-resources.
2. SCOPE
This Policy applies to all Lake Forest College employees, whether full- or part-time, including faculty, staff, contracted and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the College community (hereafter the “Community”). The Policy also applies to contracted third-party vendors.
This Policy refers to all College hardware, software, applications, and services (henceforth “e-resources”, defined in more detail in the Acceptable Use of E-Resources Policy), whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the College. This includes all networked devices, including but not limited to desktop and portable computers, mobile devices (tablets, phones, etc.), any personal devices with which users handle PI, shared lab workstations, instructional systems, other wireless devices, and any associated peripherals and software, regardless of whether used for administration, research, teaching, or other purposes.
For the purposes of this Policy, "Personal Information" is defined by the State of Illinois in the Personal Information Protection Act (815 ILCS 530/) as:
“(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(A) Social Security number.
(B) Driver's license number or State identification card number.
(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”
The definition of PI under GLBA is slightly different and can be found here: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314.
Examples of Personal Information which may directly – or in combination with other pieces of data – reveal a person’s identity include but are not limited to:
- names of known aliases
- names of family members
- maiden names
- postal/mailing addresses
- date of birth
- place of birth
- driver's license or state ID number
- social security number
- passport number
- tribal identification card number
- other government-issued ID card number
- taxpayer ID number or tax return information
- email addresses
- social media addresses
- educational information, including performance evaluations
- credit or debit card numbers
- bank or other financial account numbers
- password, PIN, or other access code that permits access to financial accounts
- any unique identifying number, characteristic, or code, including electronic ID number
- device identifiers and serial numbers
- license plate number
- digital signature
- handwriting
- fingerprints
- DNA profile
- biometric data - retina or iris scan, voice analysis, facial geometry
- photos, especially of face or other identifying characteristics
- health account numbers
- health account payment information
- health insurance information, subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history
- other insurance numbers
- medical (physical or mental) history information
- medical (physical or mental) condition information
- medical (physical or mental) treatment or diagnosis information
- medical records or record numbers
- certain information Lake Forest College collects through an Internet "cookie"
The Policy is not intended to supersede any existing Lake Forest College policy that contains more specific requirements for safeguarding certain types of data, except in the case of PI as defined above. If such a policy exists and it conflicts with the requirements of the Information Security Policy, the other policy takes precedence.
3. RISK ASSESSMENT & MANAGEMENT
3.1 Risk Assessments: Lake Forest College’s risk assessment methodology is guided by the principles outlined in NIST Special Publication 800-30 to ensure a thorough and systematic evaluation of both internal and external risks. This methodology establishes a structured approach for identifying, analyzing, and prioritizing risks to the security, integrity, and confidentiality of College information, particularly GLBA-regulated Covered Data. These risks include, but are not limited to:
- Unauthorized access of confidential data;
- Compromised system security following unauthorized access;
- Interception of data during transmission;
- Loss of data integrity;
- Physical loss of data in a disaster;
- Errors introduced into systems;
- Corruption of data or systems;
- Unauthorized access of confidential data by employees;
- Unauthorized requests for confidential data;
- Unauthorized access through hard copy files or reports;
- Unauthorized transfer of confidential data through third parties; and
- Employee compliance with security training and security policies and standards
The College maintains an ongoing process of risk analysis and evaluation to identify and assess foreseeable internal and external risks to institutional data and systems. This process utilizes a standardized risk scoring methodology and evaluates the adequacy of existing security controls to safeguard College systems and data. All identified risks will be documented in an Information Security Risk Register, where they will be assessed based on probability and impact on a scale of 1 to 5. Significant findings from annual reviews, penetration testing, and other periodic assessments will also be recorded in the Information Security Risk Register to ensure a comprehensive history of identified risks and remediation actions. The total risk score, calculated as the product of these two factors, will categorize risks as follows:
- Critical (20-25)
- High (12-16)
- Medium (6-10)
- Low (1-5)
Work on risks with higher scores will be prioritized over those with lower scores to ensure prompt mitigation of the most severe risks. Critical risks shall be prioritized for remediation or mitigation within 60 days, and High risks within 180 days. Risks rated Medium or Low will be addressed as the Vice President for Information Technology and Chief Information Officer (VPIT/CIO) or Information Security Manager (ISM) deems appropriate, dependent upon other work priorities and available resources. Risk acceptance may occur only if it is demonstrated that the cost of mitigation is prohibitive and compensating controls sufficiently reduce the impact. The ISM will document all identified risks in the College's Information Security Risk Register. Risk assessments shall be updated regularly to evaluate the sufficiency of elements of the Program to meet the current and foreseeable threats to College data and systems.
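The scoring rule in section 3.1 (probability × impact on 1-to-5 scales, banded into Critical, High, Medium, and Low, with 60- and 180-day targets for the top two bands) is small enough to encode directly. The following is an added example, not tooling from the College or its Program: the band boundaries and remediation targets are taken from the Policy text, while the register entries, their titles and their ratings are constructed for illustration. The `band_coverage_is_complete` check confirms that every product two 1-to-5 ratings can produce lands in exactly one of the Policy's bands, which is what makes the gaps between the bands (11, 17-19) harmless.

```python
"""Risk Register scoring helper (added example; not the College's own tooling).

Implements the rule stated in section 3.1: probability and impact are each
rated 1 to 5, the total score is their product, and the product is banded as
Critical (20-25), High (12-16), Medium (6-10) or Low (1-5). The remediation
targets (Critical within 60 days, High within 180 days) come from the same
section. The register entries at the bottom are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# (band name, lowest score in band, highest score in band), per section 3.1
BANDS = (
    ("Critical", 20, 25),
    ("High", 12, 16),
    ("Medium", 6, 10),
    ("Low", 1, 5),
)

# Remediation targets per section 3.1; Medium and Low are scheduled by the
# VPIT/CIO or ISM, so they carry no fixed deadline here.
REMEDIATION_DAYS = {"Critical": 60, "High": 180}


def categorize(score: int) -> str:
    """Map a total score to its band name."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    # Every product of two 1-5 ratings lands inside a band (see
    # band_coverage_is_complete), so this only fires for an out-of-range score.
    raise ValueError(f"score {score} falls outside every band")


@dataclass(frozen=True)
class RiskEntry:
    """One row of the Information Security Risk Register."""
    title: str
    probability: int  # 1 (rare) to 5 (almost certain)
    impact: int       # 1 (negligible) to 5 (severe)

    def __post_init__(self) -> None:
        for field, value in (("probability", self.probability), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def category(self) -> str:
        return categorize(self.score)


def remediation_due(entry: RiskEntry, opened_iso: str) -> Optional[str]:
    """ISO date by which the entry must be remediated or mitigated, or None
    when the Policy leaves scheduling to the VPIT/CIO or ISM."""
    days = REMEDIATION_DAYS.get(entry.category)
    if days is None:
        return None
    return (date.fromisoformat(opened_iso) + timedelta(days=days)).isoformat()


def band_coverage_is_complete() -> bool:
    """Check that every reachable score lands in exactly one band."""
    reachable = {p * i for p in range(1, 6) for i in range(1, 6)}
    return all(sum(low <= s <= high for _, low, high in BANDS) == 1 for s in reachable)


def prioritized(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order entries highest score first, as section 3.1 requires."""
    return sorted(entries, key=lambda e: e.score, reverse=True)


# Constructed sample register (titles, probabilities and impacts are invented).
SAMPLE_REGISTER = [
    RiskEntry("Unpatchable legacy server reachable from the staff VLAN", 4, 5),
    RiskEntry("PI in hard-copy reports left at a shared printer", 3, 3),
    RiskEntry("Vendor handling PI has no completed HECVAT on file", 3, 4),
    RiskEntry("Stale local test account on a lab workstation", 2, 2),
]

if __name__ == "__main__":
    for e in prioritized(SAMPLE_REGISTER):
        due = remediation_due(e, "2024-11-01") or "scheduled by VPIT/CIO or ISM"
        print(f"{e.score:>2}  {e.category:<8}  due {due:<28}  {e.title}")
```

Run as a script it prints the constructed register in remediation order; `remediation_due` takes the date the risk was opened as an ISO string so the same helper can be used on an exported register.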
3.2 Risk Management: To successfully manage risk for Lake Forest College, senior leadership must be committed to making information security an underlying principle of operating the College to protect the institution and its community. This top-level commitment ensures that sufficient resources are available to develop and implement an effective, institution-wide security program. Effectively managing information security risk requires the following key elements:
- Assignment of risk management responsibilities to appropriate senior leadership;
- Ongoing recognition and understanding by senior leadership and IT Governance of the information security risks to Lake Forest College information assets, operations, and personnel;
- Establishment of the tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities;
- Providing accountability for senior leadership for their risk management decisions; and
- Ongoing assessments of internal and external risks, tracked in the Information Security Risk Register.
The ISM, upon consultation with the VPIT/CIO, is responsible for implementing updates to the information security program based on identified risks, evolving threats, or significant changes in College operations.
3.3 Risk Remediation or Acceptance: As the Risk Register is updated with newly identified risks, risk scores are calculated by analyzing the impact of each risk and the likelihood of its occurrence, and then prioritized by the immediacy of the risk. The ISM shall maintain the Risk Register and advise the VPIT/CIO of additions, who in consultation with the Executive Leadership Team may choose to accept risks, assign risks to other owners, or select methods and schedules for their remediation. Some risks may be accepted due to the finite resources of the College and the cost or scope of potential remediation. Where likelihood or immediacy of risks are unclear, the ISM and/or VPIT/CIO shall consult subject matter experts as needed.
3.4 Third-party Risk: All third-party service providers shall be subject to a security risk review prior to entering into an agreement and on a regular basis afterward. The ISM and/or VPIT/CIO will review the security controls that the Third Party has in place to ensure its standards, policies, and practices are consistent with applicable state and federal regulations and Lake Forest College policies. Vendors who either refuse to disclose security controls and practices or otherwise indicate a lack of consistent safeguards for IT risk management shall be barred from accessing, storing, processing, or otherwise handling College protected data. Compliance with reasonable security controls will be mandated through contractual requirements. Vendor reviews shall be performed using the Higher Education Community Vendor Assessment Toolkit (HECVAT) developed by EDUCAUSE. Any vendors that handle PI under our data classification policy will be required to fill out the full assessment. Vendors handling less sensitive data may use the shorter version of the assessment. Additionally, the College shall enforce the following Vendor Management policies:
3.4.1 Supply Chain Risk Management: The College shall develop a matrix of requirements to assess and score 3rd- and 4th-Party Risks, which shall be included in the Risk Register.
3.4.2 Technology Adoption/Acquisition: All technology hardware and software under consideration for use at the College shall be reviewed and approved by ITS prior to purchasing, adopting, or otherwise committing to a method of acquisition, per the Technology Procurement & Vendor Management Policy. In short, such reviews shall consist of:
- A thorough review for technical compatibility
- A review of the technology’s technical and administrative risks; and
- An analysis of any impact to the College’s regulatory compliance requirements
3.4.3 Service Provider Oversight Methods: Whenever the College retains a service provider that will maintain, process, or have access to PI or other confidential data, the College will ensure that the provider has in place an information security program sufficient to protect it. The College will include in the contracts with service providers having access to confidential data a provision requiring the providers to have in place security measures consistent with the requirements of Illinois Law and regulations thereto and to assure that such data is used only for the purposes set forth in the contract.
4. ROLES AND RESPONSIBILITIES
Every user of Lake Forest College e-resources has a general responsibility to protect College assets, while some offices and individuals have specific responsibilities:
Executive Leadership Team (also, Senior Leadership Team): Responsible for making a final review and approval of this policy. Comprised of the President and the members of the Senior Leadership Team.
Executive Response Team: Responsible for determining the level of incident response needed during an incident. Comprised of the VPIT/CIO and other members of the Senior Leadership Team as determined by the President.
Vice President for Information Technology and Chief Information Officer (VPIT/CIO): Responsible for Information Technology Services (ITS) and the overall operations and security of the e-resources and data it manages. The VPIT/CIO is responsible for the creation, maintenance, and regular review of this and other policies prior to final approval by the Executive Leadership Team. The VPIT/CIO must also report all compliance-related activities pertaining to this policy to the Executive Leadership Team.
Information Security Manager (ISM): Reporting to the Vice President for Information Technology and Chief Information Officer (VPIT/CIO), has the principal obligation for Information Security. Develops and – in partnership with the VPIT/CIO – implements procedures and standards to meet security requirements outlined in this policy. The ISM must report all matters pertaining to compliance with this policy to the VPIT/CIO or other designated IT Governance bodies. The ISM is responsible for the development of the Program and executes the Plan.
College Services: Various officers within the college have the primary responsibility and authority to ensure Lake Forest College meets external and internal requirements for intellectual property, research and institutional data, and the privacy and security of confidential and business information. Multiple departments are responsible for general security issues (legal issues, security compliance, physical security, communications, and ITS infrastructure security). These individuals or departments are responsible for assisting in the development of college information security policies, standards, and best practices in their areas of responsibility. They are also responsible for advising departments and individuals in security practices related to areas they oversee, as follows:
- Personnel information and confidentiality - Human Resources
- Student information and confidentiality - Registrar’s Office
- Financial information and transactions - Finance and Administration
- Financial aid information – Financial Aid
- Perkins Loan information – Student Accounts
- Infrastructure, communication, and systems security and audit - ITS
- Legal Issues – Finance, for engaging legal counsel service
- Health information – Campus Life
- Alumni, parent, and donor information - Advancement Office
Departments and Other Units: Departments and other units are responsible for the security of any information they create, manage, or store, and for any information they acquire or access from other college systems (i.e., student records, personnel records, business information).
Employees: All Lake Forest College employees, including contract and temporary workers, hired consultants, interns, student employees, and others granted access to and the use of College data and systems are expected to understand the data classification levels defined in this policy, classify data appropriately for which they are responsible, access data only as needed to meet legitimate business needs, and not divulge, copy, release, sell, loan, alter, or destroy any College data without a valid business purpose and/or authorization.
Product Owner: Every information technology system, application, server, or other service used at Lake Forest College (hereafter “IT Service”) must have a designated Product Owner, a named individual maintained on file in Information Technology Services. This individual is responsible for ensuring that each such IT Service complies with this policy, and the Product Owner must report any discovered non-compliance or possible security events promptly to the Information Security Manager. Product Owner designations are determined at the Vice President or division head level, and VPs/division heads must promptly name a new Product Owner upon reassignment or the departure of a Product Owner from Lake Forest College employment. All information and data at Lake Forest College, including that which is stored, processed, or transmitted by IT Services, is subject to the Data Protection Policy (see section 6). Product Owners are responsible for ensuring their IT Services are compliant with the Data Protection Policy. For student-developed IT Services in use at the College, a student may be the Product Owner under the supervision of an authorized faculty or staff member, but the faculty or staff member or relevant department or division must name a Product Owner upon the student’s graduation or termination of enrollment from Lake Forest College. The supervising faculty or staff member will become the Product Owner by default if a new Product Owner is not named.
Note: The security of applications and data administered by departments and individuals outside of ITS is the responsibility of the administering department. ITS staff will provide advice and support for implementing security measures when requested.
5. SECURITY STANDARDS POLICIES
5.1 Accounts, Authentication, and Authorization Policy: This section defines required account management and access control standards for all College IT systems and applications to protect the privacy, security, and confidentiality of College e-resources and confidential data.
5.1.1 Accounts (Identification): Lake Forest College provides computing accounts (UserIDs) for persons who have a current or future official status with the college that requires the use of computing resources. Information Technology Services is responsible for managing employee and student access to applications, servers, network, and telecommunication resources including but not limited to Microsoft Office 365, My.LakeForest, Moodle, Panopto, PaperCut, and the College administration system. Lake Forest College user credentials providing access to email and other general-purpose applications and services shall be provisioned and terminated as detailed in the Eligibility for Accounts Policy.
Additional access to College systems containing PI or other confidential data will be provided on an as-needed basis, based on job function, department, division, or duties, and are subject to regular monitoring to ensure PI is being handled appropriately.
5.1.2 Authentication: Authentication is a process by which users, processes, or services provide proof of their identity. Lake Forest College IT systems shall require strong, complex, and unique passwords reinforced by the use of Multi-Factor Authentication (MFA) whenever technically possible.
- Passwords: Passwords to Lake Forest College systems, services, and applications shall be robust, non-default, and changed when ITS staff has reason to believe a password has been reused or there is evidence a password has been stolen, exposed, or otherwise compromised. More specifics are contained in the Lake Forest College Password Policy, published separately to promote convenient access.
- MFA: Multi-Factor Authentication (MFA), also known as 2-Factor Authentication, enhances security by combining two elements from three categories: something you know (a password or PIN), something you have (a hardware token or mobile device), and something you are (e.g., biometric data, such as a fingerprint or retina scan). By utilizing two or more factors from these categories, MFA provides the College with a reliable means of verifying user identity, thereby securing College e-resources and ensuring that only authorized users access College data. All members of the College community, including third-party vendors, are required to use MFA to access and interact with Lake Forest College e-resources in compliance with this policy. ITS may adjust the available MFA methods over time, introducing new options or retiring methods that no longer meet security standards, in response to emerging threats and advancements in authentication technologies. For users who are unable to use ITS-accepted MFA methods (example: Microsoft Authenticator on a mobile device), alternative methods like FIDO2 U2F hardware tokens will be considered on a case-by-case basis by the ISM or VPIT/CIO. Hardware tokens will be granted solely in exceptional circumstances, such as the lack of a compatible mobile device.
- Single Sign-On (SSO): All Lake Forest College IT Services including third-party services provided by vendors are expected to utilize the College’s authorized single-sign on (SSO) solution which leverages adaptive MFA. Any exceptions to this policy must be approved by the VPIT/CIO and may not handle PI or other Covered Data protected by regulatory acts (such as GLBA) without the implementation of strong compensating controls approved by the ISM.
5.1.3 Authorization: Lake Forest College IT systems shall be governed by the following standards for authorization to perform actions on College e-resources:
- Access Controls: Access to College systems and data will be governed by role-based access controls (RBAC), ensuring that access is granted only to users based on their job function.
- Principle of Least Privilege: Users will be restricted to the minimum access necessary to fulfill their duties, and access will be regularly reviewed to ensure appropriateness.
- Separation of Privileges: When Privileged Access is necessary to complete administration duties on an IT system, separate accounts must be used. For example, Active Directory domain administrator privileges shall not be assigned to the same account that the employee uses for general use of their computer, email, web browsing, etc. As soon as the phased approach of the Plan allows, the College shall adopt the use of Privileged Administrative Workstation (PAW) virtual machines to complete tasks requiring elevated privileges.
- Changes of Authorization: Privileges assigned to each individual must be reviewed and either modified or revoked upon a change in status with the College (e.g., due to a change in role or responsibilities, termination of employment, withdrawal, or completion of degree-seeking activities), and access to Lake Forest College e-resources must be adjusted accordingly. For employees, it is the responsibility of Human Resources to notify ITS of the change in role or status.
5.2 Access Controls Audit Policy: A comprehensive review of all access controls will be conducted annually to ensure that users retain only the necessary access to customer information. In addition, access controls will be reviewed after significant system changes, personnel changes, or security incidents to ensure that permissions remain aligned with operational needs and security requirements.
5.3 Encryption Policy: The College shall always use sufficiently robust encryption to protect confidential data in use, in transit, and at rest. Encryption methods used by the College shall be reviewed annually to ensure they remain sufficiently protective against evolving threats. If encryption methods are found insufficient, compensating controls must be implemented with an immediacy pursuant to the sensitivity of the data being secured. The College shall use NIST-approved encryption wherever technically feasible, such as AES-256 for data at rest and TLS 1.2+ for data in transit. When sufficiently protective encryption is deemed infeasible, alternative compensating controls must be reviewed and approved in writing by the Qualified Individual prior to implementation.
5.4 Physical Access Controls: The College is committed to safeguarding both IT and non-IT resources by implementing physical access controls for areas housing sensitive data and critical infrastructure. These controls aim to restrict unauthorized access to locations such as data centers, server rooms, file storage areas, and other secure zones. Key measures should include as many of the following as feasible:
5.4.1 Restricted Entry: Access to sensitive areas shall be restricted to authorized personnel only, based on job responsibilities.
5.4.2 Access Logging: Where feasible, access to sensitive areas should be logged, either through electronic systems or manually, to track entry and exit activity. ITS recommends that logs be retained for a minimum of six months.
5.4.3 Video Monitoring: As feasible under the College’s limited resources, secure areas should be configured with video surveillance or other security measures to detect and deter unauthorized access.
5.4.4 Key and Badge Management: The College expects physical keys, badges, electronic door strikes, and other access devices to be issued and managed by Public Safety and Facilities Management divisions, with consultation provided by ITS when appropriate. Lost or compromised access devices must be reported immediately and appropriate actions should be taken to revoke and reissue access.
5.4.5 Visitor Management: Visitors requiring access to sensitive areas must be accompanied by authorized personnel.
Review and Compliance: Physical access controls will be reviewed annually as part of the College’s security assessment process. Compliance with these controls shall be monitored by Facilities Management, Public Safety, or ITS (depending on the access control system) to ensure that physical security measures align with the overall Information Security Program.
5.5 Continuous Monitoring Policy: The Lake Forest College network environment and other e-resources shall be continuously monitored for threat actor footholds, malicious software, probing for vulnerabilities, and other security risks through log auditing as follows:
5.5.1 Endpoints: Endpoint devices shall have their system and activity logs forwarded to a Security Information and Event Manager (SIEM) or comparable solution for analysis.
5.5.2 Servers: Server access logs shall also be monitored by the College SIEM (or equivalent) for unauthorized access or activity, and additionally shall be scanned weekly for security vulnerabilities. Software with major vulnerabilities which cannot be patched, effectively remediated, or otherwise secured shall be considered “legacy” and all efforts to retire or replace the platform should be undertaken as soon as possible.
5.5.3 Network: The College shall utilize a Next-Generation Firewall (NGFW), and as soon as feasible under the phased approach of the Plan, additionally employ a Network Detection & Response (NDR) or equivalent tool to monitor for and detect suspicious activity on the network.
5.5.4 IoT Devices: IoT devices shall be avoided whenever possible. When an IoT device is deemed necessary, it shall be placed in a sequestered portion of the network, and continuously monitored to identify abnormal traffic and emergent threats.
5.5.5 Automated Logging & Analysis: As much as technically possible, logs from all networked IT devices should be monitored by the College SIEM and have automated analytics performed to detect unusual activity.
5.5.6 Human Review of Surfaced Anomalies: Once automated behavior analytics have identified a potentially suspicious event, it shall be reviewed by a human analyst to determine if additional actions need to be taken to respond to a potential threat.
Adjustments to technical and administrative safeguards will be evaluated following any significant operational changes, regulatory updates, or external events impacting the College’s security posture.
5.6 Network Segmentation and Limited Access Policy: As soon as feasible under the phased approach of the Plan, the College network shall be segmented, and Access Control Lists (or an equivalent solution) employed to limit network traffic to proper work, study, and research activities. Network management traffic shall be limited to its own virtual local area network (VLAN), as shall network security functions, such as firewalls, intrusion detection and/or prevention systems (IDS/IPS), log management, and Identity Access & Management (IAM) solutions. Personally owned or “BYOD” computing devices that lack ITS-managed security controls shall be placed in dedicated VLANs for those devices and have limited access to internal resources. Servers shall also be placed in their own dedicated VLAN and traffic to and from servers shall be inspected to ensure the authorization and appropriateness of connections and activities.
5.7 Identity Access & Management Policy: The College has implemented Privilege and Identity Management (PIM) and Privileged Access & Management (PAM) tools with its Identity Provider (IdP) to provide centralized identity and access management. These solutions offer foundational support for verifying the identity and eligibility of individuals seeking to access and use College IT resources and assign permissions to e-resources based on roles defined in administrative and/or HR systems (also known as Role-Based Access Control, or RBAC). While these tools are utilizing baseline configurations established by the IdP, as soon as possible under the phased approach of the Information Security Plan, the College intends to expand and customize these features to establish a more streamlined and reliable central identity and authentication system. Planned enhancements include improving provisioning and deprovisioning processes and controls and developing additional auditing capabilities to strengthen compliance efforts around data access and usage.
5.8 Penetration Testing Policy: The College shall perform penetration testing on its information systems annually to maintain compliance with regulatory acts and identify weaknesses in the institution’s security posture. Discoveries of vulnerabilities shall be evaluated and remediated through the development of more effective security controls as determined by the ISM and/or the VPIT/CIO.
5.9 Vulnerability Management Policy: The College shall continually employ vulnerability assessment and management tools to discover and address vulnerabilities present in College e-resources. Reports shall be reviewed by the ISM or their designated party on a no less than monthly basis.
5.9.1 Remediation Schedule: Vulnerabilities shall be addressed by severity and deployed as follows:
- Critical Severity: within 90 days
- High Severity: within 180 days
- Moderate and Low Severity: at the discretion of the VPIT/CIO & ISM, as resources allow
5.9.2 Responsibility for Remediation: Product Owners are responsible for reviewing reports from deployed vulnerability assessment tools on a weekly basis and applying patches or updates to remediate identified vulnerabilities on their systems and/or applications as described in the Remediation Schedule.
5.9.3 Compensating Controls: When vendors do not promptly issue a patch, or an issued patch is problematic for technical or administrative reasons, the ISM may determine that compensating or mitigating controls may be an acceptable alternative. Such controls shall be implemented on the same Remediation Schedule. If a Product Owner independently develops a compensating control, it must be approved by the ISM or the VPIT/CIO.
5.9.4 Patch Audits: Product owners must have a written and auditable procedure addressing remediation steps.
5.10 Web Application Security Policy: Web application security assessments must be performed to identify potential or realized weaknesses (e.g., insecure coding, inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage) per the Vulnerability Management Policy (see previous section, 5.9.)
- Web applications must undergo regular security assessments, or out-of-band assessments when one of the following criteria is met:
  - New or significant application releases should be subject to a Secure Software Development Life Cycle review prior to approval of the change control documentation or release into the live environment.
  - Third-party or acquired web applications (i.e., commercial applications for which source code is not available) must be scanned when installed or upgraded. The vulnerabilities must be reported to the ISM for recording in the Risk Register and to the vendor for correction.
- Shared accounts are prohibited, except where it is not technically possible to individually provision accounts.
- All Internet-facing web applications should be protected by appropriate technical controls (e.g., Web Application Firewall (WAF) or Intrusion Prevention System (IPS)).
- Other security controls include, but are not limited to, the following:
  - Access controls,
  - Configuration changes,
  - Authentication (MFA must be used except where it is not technically possible),
  - Data protection (e.g., encryption, data masking),
  - Error handling and logging,
  - Input and output handling, and
  - Session management.
5.11 Application Development and Secure Coding Policy: Secure development practices will be established, implemented, and documented for all in-house applications that access, store, transmit, process, or otherwise handle confidential data. The Chief Information Officer in consultation with the Director of Enterprise Systems shall ensure these controls are applied to all stages of the development life cycle, including secure testing and ongoing monitoring of application security. Additionally:
- Secure Coding guidelines from the Open Web Application Security Project (or equivalent) shall be followed.
- Test environments shall be separate from the production environment.
- A risk assessment will be performed prior to production for all in-house applications that will store, access, create, and/or transmit confidential or protected information.
- Authentication credentials for College e-resources shall not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist, and must be rotated annually. A security policy exception request is required to code authentication credentials into programs or queries if unencrypted.
6. DATA PROTECTION POLICY
The purpose of this policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access. All College data shall be classified into levels of sensitivity to provide a basis for understanding and managing it. Accurate classification provides the basis to apply an appropriate level of security to college data. These classifications of data consider the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth. Data may also be classified under the guise of “prudent stewardship”, where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals or to the institution. Henceforth, any data classified as either Sensitive or Restricted may be collectively referred to as “Confidential.”
6.1 Data Classification Policy:
- Public (low level of sensitivity): Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate owner or manager must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
- Sensitive (moderate level of sensitivity): Access to “Sensitive” data must be requested from, and authorized by, a Data Steward responsible for it. Data may be accessed by employees as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Sensitive data include purchasing data, financial transactions that do not include restricted data, information covered by non-disclosure agreements and Library transactions. By default, all non-public Lake Forest College data will be designated "Sensitive" at a minimum.
- Restricted (highest level of sensitivity): Access to “Restricted” data must be controlled from creation to destruction and will be granted only to those persons affiliated with the College who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to restricted data must be requested from, and authorized by, the Data Steward responsible for the data. Restricted data includes information protected by law or regulation whose improper use or disclosure could:
  - Adversely affect the ability of the college to accomplish its mission
  - Lead to the possibility of identity theft by release of personally identifiable information of college constituents
  - Put the college into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, and GLBA
  - Put the college into a state of non-compliance with contractual obligations such as PCI DSS
The specification of data as restricted should include reference to the legal or externally imposed constraint that requires the restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given. Examples of Restricted data include social security numbers, student registration, grades, financial aid data and bank account numbers.
6.2 Data Backup & Retention Policy: Data that is important to the operations of the College should be backed up to at least two locations to protect against loss of use. One backup should reside offsite to protect against natural disasters. Data backups should periodically be tested for validity, and at least one copy of critical data should be air-gapped and/or immutable so it cannot be modified until it has reached its expiration date. Backups of Restricted data shall use a solution that provides encryption in transit and at rest. College backups maintained by ITS shall be retained for a period of no less than 6 months.
6.3 Data Expiration Policy: All PI should generally be retained only as long as necessary, except under the following circumstances:
- Compliance with state or federal law;
- The College’s legitimate business purposes; or
- Technical limitations of a vendor’s software that make the expiration of specific data fields impractical or unfeasible.
In all other cases, the College expects PI – particularly Covered Data subject to GLBA regulations – to be securely disposed of within two years of its last use. Any exceptions for the reasons listed above must be approved by a member of senior leadership and documented by the ISM. Each department that stores PI is expected to conduct an annual review of retained data to determine which information may be purged.
6.4 Secure Data Storage Policy:
- Employees are not permitted to transport PI electronically on portable storage devices (e.g. USB flash drives, external hard drives, etc.) unless the transported data is encrypted;
- PI and other confidential data must not be stored on cloud-based storage solutions that are unsupported by Lake Forest College;
- Employees must lock rooms or file cabinets where records containing PI are kept;
- Employees must secure paper files containing PI in their work area when they are not present;
- Mobile computing devices such as laptops, tablets, or phones which can access, process, store, or otherwise handle PI or other confidential data must be stored in a secure place when not in use or personally attended;
- Upon separation of an employment relationship with Lake Forest College, the separated individual's electronic and physical access to documents, systems, or networks containing PI must be immediately terminated. Separated employees must return to Lake Forest College all records containing PI, in any form, in their possession at the time of separation. All keys, keycards, access devices, badges, company IDs, and the like, shall be surrendered at the time of separation.
6.5 Secure Transit Policy: Confidential data at the College shall always be protected in transit by adequate encryption (see section 5.3.) It is a violation of policy to transmit PI and other confidential information via unencrypted methods such as plaintext email or SMS text messaging. The requirements for transmitting College data classified as Restricted, Sensitive, or Public via email or other electronic methods are listed in the table below. The type of data dictates the method of transmission as per the Data Classification guidelines (see section 6.1.)
| | Restricted Data | Sensitive Data | Public Data |
| --- | --- | --- | --- |
| Email | Not permitted without express authorization or unless required by law. If authorized, data shall only be included in messages within an encrypted file attachment or via secure authorized services. | Messages shall only be sent to authorized individuals with a legitimate need to know. Messages can be sent via a secure protocol and/or process. | No protection requirements |
| Electronic Transmission or Forwarding (LAN, Bluetooth, Wi-Fi, etc.) | Secure, authenticated connections or secure protocols must be used for transmission of protected data via: | Data must be transmitted in either an encrypted file format or over a secure protocol or connection via: | No protection requirements |
6.6 Data Disposal Policy: All college-owned computing devices capable of data storage must be properly sanitized according to industry standards for data disposal to ensure compliance with GLBA and other applicable data protection regulations. Disposal practices are designed to protect GLBA-regulated Covered Data and other confidential information and to meet software licensing agreements as outlined below. To ensure compliance with GLBA’s retention minimization requirements, the College shall conduct an annual review of data retention and disposal practices.
- Electronic Media: All electronic storage media, including hard drives, SSDs, USB drives, and similar devices, will be sanitized or destroyed before reuse or disposal. Sanitization must follow current industry standards and be verified by ITS. “Reuse” shall include any transfer of ownership, such as transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement.
- Employee Responsibility: All College employees are responsible for securely disposing of storage media, such as malfunctioning USB drives or old storage devices, in accordance with the destruction procedures provided by ITS. Training on secure disposal methods is provided, and failure to follow these practices may result in corrective actions.
- Deans, directors, and department heads are responsible for returning all Lake Forest College-owned electronic devices and computer systems in their units to ITS for proper data disposal. This responsibility may be delegated as deemed appropriate.
- Paper documents containing PI or other confidential data shall be disposed of through shredding or an equivalent destructive process to ensure information cannot be reconstructed.
- Oversight and Verification: The ISM oversees the secure disposal policy and ensures that proper training materials and guidelines are available to employees. The ISM also performs periodic audits and reviews to verify compliance with disposal procedures and to address any issues identified.
7. MINIMUM ACCESS POLICY
Considering the escalating risks associated with ransomware attacks and other cybersecurity threats, it is imperative that all endpoint computing devices meet baseline security standards prior to connecting to the College’s network. While methods for securing computing devices may differ depending on their type and intended use, the objective is to ensure that all endpoints that connect to the College network are reasonably secured. To achieve this, computing devices must meet minimum security requirements outlined in this Minimum Access policy. Devices which will handle College data classified as sensitive will be required to meet a stricter set of requirements, while systems which will handle College data classified as restricted must meet the strictest requirements. College-owned devices which fail to meet the minimum access requirements outlined in this policy are prohibited from accessing, processing, storing, or otherwise handling confidential data, and as soon as feasible under the phased approach of the Plan, shall have access to all College systems containing confidential data limited or denied.
7.1 Exceptions: In some instances, exceptions to portions of this policy may be sought from the ISM, the VPIT/CIO, or their designees. Requests for such exceptions must be submitted in writing to the ISM and the VPIT/CIO, be supported by an employee’s department chair or equivalent, and await review. Exception requests must include the scope and duration of the exception, business justification, and for exceptions that are temporary, a committed remediation plan to achieve compliance. The ISM will review the request to ensure proper consideration has been given to the business needs and benefits and weighed against the security risk to the institution. Requests for policy exceptions must be submitted to and approved by the ISM or the VPIT/CIO prior to implementation of the requested exception. The exception request shall be reviewed by ITS and answered in writing within ten standard business days, presuming the owner of said device promptly answers any additional queries from ITS staff about the configuration or use of that device. Any devices granted exceptions shall be moved to a logically separate portion of the network with limited access to internal e-resources, or provided only with Internet access, as deemed appropriate by the ISM, the VPIT/CIO, or their designees as soon as the Plan’s phased approach shall allow.
7.1.1 Exceptions for Endpoints: Endpoint devices ultimately granted such exceptions may only handle sensitive data (see definition, section 6.1) as long as said data remains stored on College servers or cloud-hosted application platforms and not the local device. Compliance with the Policy may be assessed through the following hypothetical: if the user’s enterprise directory credentials were disabled by ITS, access to confidential College data must not remain possible. Endpoints granted exceptions to the Minimum Access policy may never access, use, store, or otherwise handle data classified as restricted.
7.1.2 Exceptions for Infrastructure: College infrastructure e-resources which provide services to endpoints (colloquially “servers”) are not bound by this policy and must instead meet different and more rigorous standards enforced internally within ITS. Additionally, devices used for research purposes may be subject to specific data protections (e.g., federal regulations, data use agreements, NDAs) that require exceeding the requirements identified within this Policy due to the sensitivity of the data associated with the device. All equipment classified as servers must be deployed, managed, maintained, and ultimately disposed of under the purview of ITS. It is a violation of this Policy to deploy a server in the Lake Forest College networked environment without prior approval from authorized ITS staff and meeting ITS requirements for adequately securing confidential data.
7.1.3 Exceptions for IoT Devices: An “Internet of Things” (IoT) device is defined by having an embedded operating system that does not support the installation of security agents such as antivirus and does not lend itself to frequent software updates. This can include devices such as printers, security cameras, smart speakers, smart lights, industrial controls such as HVAC sensors, smart TVs, video streaming devices, personal network attached storage devices, VOIP phones, conference room systems, and digital signage. IoT devices which cannot be securely managed by ITS through endpoint management solutions or other tools shall be placed into a logically separated portion of the College network where they shall have limited access to other internal e-resources, or may only access the Internet, as deemed appropriate by authorized ITS staff in accordance with the risks presented by the device.
7.2 Approved Operating Systems: An operating system is the software that communicates with the various pieces of hardware that make up a computer and provides a base upon which other software programs can run. All computers, tablets, and smartphones have an operating system. All College-owned computing devices shall run sanctioned, currently supported, and regularly updated operating systems. Any use of out-of-date or “legacy” operating systems that are not being actively updated to address new security concerns is prohibited without explicit authorization from the VPIT/CIO. For already deployed systems that cannot be upgraded, compensating controls must be in place.
7.3 Endpoint Management: College-owned computing devices shall be managed by ITS through an IT Device Management System – also known as a Mobile Device Management (MDM) solution – to allow full asset inventory and endpoint management to occur. Enrollment in the College MDM allows ITS to obtain remote status information, ensure baseline system configuration, monitor and manage software updates, and ingest system logs for security purposes. To provide for this management, all College-owned computing devices shall be configured with an administrative account with remote access enabled with which ITS staff may manage the device. Such accounts shall be configured with unique passwords for each endpoint such that a leaked administrative password to a single endpoint does not pose a security concern beyond that endpoint.
7.4 Endpoint Protection: All college-owned computing devices running non-sandboxed operating systems (Windows, macOS, various Linux distributions) shall be equipped with ITS-provided Endpoint Protection software and other required packages to aid in security-focused technical logging, monitoring, and analysis. College-owned devices with highly sandboxed operating systems (i.e. iOS, iPadOS, ChromeOS) – which make endpoint software largely ineffective – may receive limited access to sensitive College cloud-hosted e-resources such as email, but accessing, processing, storing, or otherwise handling PI locally on these devices is forbidden, and handling sensitive data on these devices is strongly discouraged.
7.5 Required Software Updates: Software updates and security patches must be deployed to College devices as soon as practically possible through the College’s Intune and JAMF Pro fleet management platforms. Patches are evaluated and tested by ITS prior to being deployed campus-wide whenever possible. Whenever feasible, all systems and applications should be configured to receive and install updates automatically. Out-of-date software or software that is no longer supported by a vendor is strongly discouraged. Critical security patches which address major vulnerabilities – as determined by the ISM or the VPIT/CIO – must be implemented on all compatible College devices within 30 days. If a College-owned device will use Microsoft Office, a current Microsoft-supported version of Office is required; the most up-to-date version of Office 365 provided by the College is preferred.
7.5.1 OS Update Classifications: Operating System (OS) releases are typically divided into two categories, which ITS refers to as “feature” updates and “quality” updates. Feature updates are significant updates or major upgrades in an operating system which offer new functionality, while quality updates contain fixes to software bugs or resolve exploitable security vulnerabilities. As much as possible, this distinction will drive software update management at the College; however, Apple macOS updates currently do not adhere to this categorization system, and only a portion of software vulnerabilities are addressed in previous releases of macOS. Due to this, devices running macOS may occasionally require the installation of a feature update to apply a critical security patch and – depending on the severity of the particular vulnerability being addressed – this may result in a macOS feature update being applied sooner than the predetermined schedule in section 7.5.2 would indicate. These exceptions will occur at ITS’ discretion.
7.5.2 OS Update Cadence: Software updates shall be pushed to ITS-managed devices on schedules based on device type / function as outlined below.
- Shared-use devices, primarily computing labs and classroom/podium computers, shall have feature updates deferred at least 30 days from the release date to allow ITS adequate time for compatibility and security testing, ensuring that academic functionality is not impacted. ITS may opt to defer installation for an extended period if significant issues are identified during testing. Quality updates, however, shall be applied within 10 days of release to minimize the risk of known vulnerabilities being exploited on College devices. Updates to shared campus computing devices will be scheduled for 1 a.m. on Saturdays.
- Employee computers assigned on a 1:1 basis shall have feature updates deferred for a period of 90 days to minimize potential disruptions to employee productivity. Quality updates will be deferred for three (3) days, allowing ITS a brief window to address any negative effects caused by a problematic update. After the mandatory deferral period, users will be notified by their device that a software update has been downloaded and is ready for install. Users may choose to defer that installation for seven (7) days. Following this, a grace period of 5 days will permit users further discretion in installing the update. Once the grace period concludes, the update will be automatically installed and the device restarted. While ITS recommends installing quality updates as promptly as possible, this schedule provides employees with flexibility in timing, while ensuring that College-managed devices do not become excessively outdated, which could introduce unnecessary risks to the environment.
- On-Premises Servers running a Windows Server OS are configured to automatically apply quality updates upon release and restart overnight. Due to Microsoft’s “Patch Tuesday” release schedule, servers will reboot on Wednesdays between 3 and 4 a.m., when activity levels are nominal. College Linux servers utilize a Livepatch service, which enables real-time patching of critical security updates without requiring reboots. This allows the College to maintain maximum uptime while still applying necessary security patches. Feature updates are monitored, reviewed, and tested by ITS prior to implementation in the production environment. These updates are also subject to the ITS Change Management Policy for impact analysis and a thorough review of any potential information security implications to systems that house or process Covered Data protected under GLBA.
7.5.3 Application Updates: Application software, especially web browsers and productivity suite software, represent a frequently exploited target due to their prevalence and complexity. Ensuring these applications are consistently updated is essential for maintaining the security of College systems. ITS requires that web browsers, Microsoft Teams, and other Office 365 (O365) applications remain current with the latest security patches and will deploy them to managed systems promptly after their release. ITS reserves the right to remove any installations of legacy versions of these applications that are no longer supported or patched to mitigate security risks effectively.
7.6 Lock When Idle: All College-owned computing devices must be configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes unless the device is used solely for classroom presentation (i.e., podium computers.) If a shared computing device in a lab remains user-locked for a period of 30 minutes, the logged-in user shall be logged out and the device made available for the next user.
7.7 Device Health Checks: All College-owned computing devices must be configured to allow ITS to obtain status information such as operating system version and patch level, fetch security-related activity logs, scan the device for potential vulnerabilities, etc. Devices which ITS deems as having failed such “health checks” shall be subject to limited or no network access, being remotely locked out, or other actions as appropriate to secure the College network environment and protect other e-resources.
7.8 Authenticate to the Enterprise Directory: All College-owned general-purpose computing devices must be configured to authenticate against the College directory so that only users with active accounts may use them. Systems not bound to the College directory (currently Azure Active Directory) should never be used to access, process, store, or otherwise handle PI or other confidential data.
7.9 Whole Disk Encryption: All College-owned computing devices which access PI or other confidential data must have their storage mechanisms (SSDs, hard drives, USB flash drives, etc.) protected with whole-disk encryption such as BitLocker or FileVault.
7.10 Host-Based Firewall: All College-owned computing devices shall have their host-based firewall feature enabled and configured to block all inbound traffic that is not explicitly required for the intended use of the device to protect against compromised endpoints which may be introduced to the College network.
7.11 Cloud Sync Services: All College-owned computing devices are prohibited from using individual personal cloud storage accounts for syncing or backing up College data. Where cloud accounts are necessary for required functionality of an endpoint (example: Apple IDs on computers running macOS, iPads, iPhones, etc.) ITS shall provide Managed Apple IDs under the control of the College.
7.12 Compromised Devices: College-owned computing devices deemed “compromised” by threat actors, malicious software, or other threats to the College shall be disabled and removed from the College network as expediently as possible by ITS. It is the device owner’s obligation to bring any such devices being used off-campus to ITS for remediation promptly after the state of compromise is discovered.
7.13 Secure Remote Access: All College-owned mobile computing devices (e.g., laptops, tablets, and phones) which access, process, store, or otherwise handle PI or other confidential data shall be configured with an always-on Virtual Private Network (VPN) connection which shall employ an encrypted connection to the College VPN solution when off-campus. Employees are not permitted to access data classified as Sensitive at home or on their personal computers except when utilizing the College VPN. Accessing PI or other College data classified as Restricted from personal computing devices is prohibited, regardless of VPN use.
7.14 Medium-Risk Access: All College-owned computing devices which store College sensitive data or access confidential data (see definitions, section 6.1) shall meet every requirement of this policy without exceptions, and may, depending on the risk level, have additional restrictions placed on them via the College IT Device System Management tools.
7.15 High-Risk Access: All College-owned computing devices storing or serving College data classified as Restricted to other users shall be owned or managed by authorized ITS staff and shall be subject to regular configuration reviews and access auditing to ensure said data is protected and remains secured. Storing or serving data classified as Restricted on devices not owned by the College and managed by ITS is strictly prohibited.
8. ADMINISTRATIVE COMPUTER RIGHTS POLICY
8.1 Standard User Profile as Default: As of January 1, 2024, all computers issued, loaned, or otherwise provided to college personnel, including ITS staff, shall have the primary user profile configured as a "standard" user account. Technical provisions will be established to allow users to obtain temporary administrative rights under certain conditions to perform tasks necessary for their work, research, or study, as deemed appropriate by the VPIT/CIO.
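As an added illustration (not part of the College policy and not ITS tooling), the following read-only PowerShell script performs the kind of endpoint "health check" described in section 7.7, testing a Windows device against the standards in sections 7.6, 7.8, 7.9, 7.10 and 8.1. It assumes Windows 10/11 with the built-in BitLocker and NetSecurity modules and is run from an elevated session; the 15-minute threshold and the Azure AD binding come from the policy text above.

```powershell
# Added example, not College policy text or ITS tooling: read-only health check
# of this Windows endpoint against sections 7.6, 7.8, 7.9, 7.10 and 8.1.
# Run from an elevated PowerShell session; it changes nothing and exits
# non-zero when any check fails.
$results = [ordered]@{}

# 7.6 Lock when idle: the machine-wide inactivity limit (seconds) must be set
# and be no more than 15 minutes (900 s). Missing or 0 means "never lock".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idleSecs  = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$results['7.6  Lock when idle (InactivityTimeoutSecs between 1 and 900)'] =
    ($idleSecs -gt 0 -and $idleSecs -le 900)

# 7.8 Bound to the enterprise directory: dsregcmd reports the Azure AD join
# state as a line of the form "AzureAdJoined : YES".
$dsreg = dsregcmd /status 2>$null
$results['7.8  Joined to Azure AD'] =
    [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

# 7.9 Whole-disk encryption: every BitLocker volume must be fully encrypted
# with protection turned on (a suspended volume counts as a failure).
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
$unprotected = $volumes | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
}
$results['7.9  Whole-disk encryption on every volume'] =
    (@($volumes).Count -gt 0 -and @($unprotected).Count -eq 0)

# 7.10 Host-based firewall: every profile enabled, and none with a default
# inbound action of Allow (NotConfigured falls back to Block).
$badProfiles = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
}
$results['7.10 Host firewall enabled, inbound blocked by default'] =
    (@($badProfiles).Count -eq 0)

# 8.1 Standard user as default: the interactively signed-in user must not be
# a member of the local Administrators group.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
$results['8.1  Signed-in user is a standard (non-admin) account'] =
    ($null -ne $consoleUser -and $localAdmins -notcontains $consoleUser)

# Report, then signal overall status so a device-management tool can treat a
# failing endpoint as described in section 7.7.
foreach ($entry in $results.GetEnumerator()) {
    $status = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0} {1}' -f $status, $entry.Key)
}
if ($results.Values -contains $false) { exit 1 }
exit 0
```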
9. PHYSICAL AND ENVIRONMENTAL SECURITY POLICY
Confidential data shall be stored securely. Appropriate security controls shall be used to protect College assets from unauthorized physical access, damage, and interference, and to safeguard them against reasonable environmental hazards and active and passive electronic penetration. Regular physical and environmental risk assessments should be undertaken to identify the appropriate level of protection to be implemented to secure College ITS facilities and the information stored therein. Weaknesses identified in these assessments shall be addressed by the College within a period of one year.
9.1 Secure Facilities: Access to facilities housing network and server equipment is limited to authorized ITS personnel only. Visitors must be escorted at all times. Cleaning personnel or others on-site after normal business hours who are not authorized to access data classified as Restricted must not have access to areas where such data is stored. Periodic cleaning of such areas must take place during normal business hours when employees authorized to access Restricted data are present.
9.2 Environmental Security: Proper safeguards should be implemented to protect critical College ITS equipment and physical (paper) records containing PI and other confidential data from reasonable environmental hazards such as loss of power, fire, flood, interference, vandalism, and other threats.
9.3 Documentation and Testing: Procedures for protecting mission critical College e-resources from environmental hazards and other disruptions must be documented, updated, and tested at least annually.
9.4 Employee Training: Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.
10. CYBERSECURITY AWARENESS & TRAINING POLICY
10.1 Information Security Awareness Training: Lake Forest College shall provide faculty, staff, students, and appropriate third parties with information security awareness education, and expects users to complete assignments annually at a minimum. College employees shall be adequately trained to perform their information security-related duties and responsibilities in a manner consistent with related policies, procedures, legal requirements, regulations, and agreements. To this end, Lake Forest College has implemented an information security awareness program that is updated as necessary based on risks identified by the College's risk assessments and evolving threat landscape.
The College reviews information security awareness program content annually and identifies any new training requirements arising from ongoing security assessments, incident analysis, and findings from annual reviews. Following that analysis, the ISM will either update existing content or select and integrate new modules as appropriate.
The College employs qualified information security personnel who manage or oversee the information security program. These personnel are expected to maintain current knowledge of emerging threats through regular, relevant training, and engage in ongoing professional development to ensure they remain informed on the latest security threats and countermeasures.
ITS collaborates with Human Resources to verify annually that employees are completing information security awareness training, are aware of their data security responsibilities and College information security policies, and that obligations under the College's contract with its cybersecurity policy carrier are being met. Senior Managers and Department Heads are alerted about employees in their division who do not complete this assigned training within designated timeframes. New hires shall complete required training materials regarding information security and review the College Acceptable Use of Resources Policy and other such policies within their first 30 days. Supervisors will be expected to encourage compliance with this policy in a timely manner.
10.2 PI Data Handling Training: When deemed appropriate by the VPIT/CIO, the College shall supplement the baseline information security awareness training with role-based training commensurate with an employee’s role(s) within the institution. The College shall also provide specific training regarding the handling of restricted and sensitive data to business units which handle this data as part of their regular duties as defined by regulatory compliance requirements.
10.3 Phishing Simulations: Phishing simulation and/or educational campaigns must be provided for all members of the College community to increase awareness and educate users about the tactics and techniques used by malicious actors. Employees must be enrolled in supplemental phishing training following three failed phishing simulations within a given calendar year. Failure to take this supplemental training within 30 days of assignment may result in employee risk mitigation, up to and including network account suspension.
10.4 Promoting Security Awareness: The College may also foster additional broad-based information security awareness activities as the VPIT/CIO deems necessary through methods such as:
- Websites
- Social media
- Posters on campus
- In-person or online training sessions
- Conferences or events
- New employee or student orientations
- Social engineering campaigns
11. INCIDENT RESPONSE POLICY
In addition to a comprehensive set of policies, Lake Forest College has developed an Incident Response Plan (IRP) to promptly address security incidents, particularly those affecting the confidentiality, integrity, or availability of GLBA-regulated data. The IRP defines clear objectives, response protocols, designated roles, and requirements for communication and documentation, ensuring the College can respond effectively to security events.
Despite these comprehensive policies and published guidelines for securing confidential electronic data, breaches and other types of cybersecurity incidents can still occur. At such times, it is important that the College respond as quickly and as professionally as possible. Computer theft or loss should be reported immediately to the ITS Service Desk by email to servicedesk@lakeforest.edu or by calling ext. 5544 (847-735-5544).
11.1 Security Incident Handling: Steps that Lake Forest College will take in the event of a data security incident are as follows:
- Determination of the incident nature and scope shall include:
  - identification of the person reporting the incident (name, contact info, etc.)
  - record of the location, timeframe, and apparent source of the incident
  - preliminary identification of confidential data that may be at risk
  - identification of whether ransomware, malware, or another type of incident has occurred
- Reporting of a suspected or confirmed incident shall involve:
  - Chief Information Officer (CIO)
  - Director of Public Safety (if physical security has been compromised)
  - President and senior officers (depending on sensitivity and scope of data involved)
  - Legal counsel (depending on sensitivity and scope of data involved)
  - Law enforcement (depending on the nature/scope of incident)
  - VP of Marketing and Communications (depending on sensitivity and scope of data involved)
  - College's cybersecurity insurance policy carrier
- Investigation
  - Identify potential ongoing exposure of data and take immediate steps to eliminate gaps
  - Conduct preliminary forensic analysis (retain outside assistance as needed)
  - Prepare inventory of data at risk
  - Determine if exposed data was encrypted
  - Identify security measures that were defeated (and by what means)
- Incident Assessment
  - Identify affected individuals at risk of identity theft or other harm
  - Assess financial, legal, regulatory, operational, reputational, and other potential institutional risks to the College
- Incident Remediation
  - Implement password changes and other security measures to prevent further data exposure
  - Determine if exposed/corrupted data can be restored from backups; take appropriate steps
  - Determine if the value of exposed data can be neutralized by changing account access, ID information, or other measures
- Incident Notification
  - Based on regulatory requirements (e.g., Illinois Personal Information Protection Act) and other factors, the Executive Response Team (in consultation with legal counsel as appropriate) determines whether notifications are required for:
    - Government agencies
    - Affected individuals
    - Lake Forest College community
    - Business partners
    - Public
    - Other
  - If the Executive Response Team determines that notifications are needed:
    - The CIO will notify the College's cybersecurity insurance policy carrier and/or their incident handling designees, who will coordinate notifications to affected individuals; unless directed otherwise by law enforcement, such notifications will be made without delay.
    - The Vice President of Business and Finance and/or CIO will notify government agencies and business partners.
    - The CIO and the VP of Marketing and Communications will coordinate notifications to the Lake Forest College community, the public, and others as necessary.
  - Communications will address the following points (as needed):
    - Nature and scope of the incident
    - General circumstances of the incident (e.g., stolen laptop, hacked database, etc.)
    - Approximate timeline (e.g., date of discovery)
    - Steps the College has taken to investigate and assess the incident
    - Involvement of law enforcement or other third parties
    - Information about any misuse of the missing data
    - Recommended steps for affected individuals
    - Steps that the College is taking to prevent future incidents of this nature
11.2 Incident Classification: The Lake Forest College method for classifying the severity of a cyber incident shall be as follows:
- Major Incidents
  - impact the majority of our community (i.e., everyone), and
  - prevent the College from being able to conduct normal operations for more than 24 hours, and
  - may have a major impact on the reputation of the institution.
- Significant Incidents
  - impact a significant portion of our community (i.e., teaching/learning),
  - can have a significant impact on the College's ability to conduct normal operations, and
  - may have a significant impact on the reputation of the institution.
- Minor Incidents
  - impact a small portion of our community (i.e., a department or small group),
  - can have a minor impact on the College's ability to conduct normal operations, and
  - may have a minor impact on the reputation of the institution.
- Isolated Incidents
  - impact a single community member,
  - have little or no impact on the College's ability to conduct normal operations, and
  - do not impact the reputation of the institution.
11.3 Incident Handling Procedures: Information Security Incidents shall be handled based on their severity as follows:
- The response to isolated and minor information technology incidents will be managed by ITS, with notifications to the VPIT/CIO (and also to the ISM for any information security incidents).
- The response to significant information technology incidents will be managed by ITS, with direction from the VPIT/CIO, the Executive Response Team (ERT), and the ISM. The Executive Leadership Team shall be kept informed.
- In the event of a major information technology incident, the VPIT/CIO or ISM will activate the Lake Forest College Incident Response (IR) Team, who shall collectively be responsible (in collaboration with the ERT) for:
  - Facilitating communication,
  - Formulating and enacting a mitigation plan, and
  - The resolution of the incident.
The IR Team will have representatives from ITS, Human Resources, Campus Life, Academic Affairs, the Finance Office, and Public Safety. Depending on the nature of the incident, not all members may be required to be involved. Representatives from other areas may be called upon to join the IR Team, if needed.
This policy does not preclude ITS from taking prompt action to mitigate a known technology risk while a longer-term resolution is being developed. During any information security incident, ITS has the authority to access any relevant institution-owned system and to remove any system or user account from the network to protect the College and its community from damage or harm.
All incidents involving GLBA-regulated data shall be documented with comprehensive details, including response actions, containment efforts, root cause analysis, and lessons learned. This documentation supports compliance, enhances ongoing security assessment, and informs updates to the Incident Response Plan (IRP) following each significant security event, ensuring the IRP remains aligned with evolving risks and regulatory requirements.
11.4 Disaster Recovery & Business Continuity Plans: The College shall have Disaster Recovery and Business Continuity Plans, which shall be annually reviewed and updated as deemed appropriate by the Executive Leadership Team.
11.5 Tabletop Exercises: Information Technology Services shall conduct Tabletop Exercises to test the effectiveness of incident response, disaster recovery, and business continuity plans with the College’s Incident Response team on an annual basis.
APPENDIX: DEFINITIONS
Access: The ability to view, use, or change information in College e-resources.
Authorization: the function of establishing an individual's privilege levels to access and/or handle information.
Availability: ensuring that information is ready and suitable for use.
Confidentiality: ensuring that information is not disclosed to unauthorized individuals.
Compensating control: a data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement.
Control: A safeguard or countermeasure to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Data Owner: A member of the Executive Leadership Team or their designees who have policy-making and planning responsibilities for data. They designate data stewards and assign data management roles for their units and set priorities for external reporting for their academic or administrative units.
Data Steward: Data stewards are administrators with direct operational responsibility for one or more types of institutional data and have been designated by the data owner. They determine data access in the administrative unit.
E-resources: include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, physical facilities, contracted cloud-based vendors and platforms, Software as a Service (SaaS) and other X as a Service providers, and any related materials and service.
Encryption: the use of an algorithm to transform data into a form where the content is masked and can only be viewed by those having a key or other confidential means to reveal the data.
End User (or "User"): The person that a software program or hardware device is designed for and who uses the software or hardware after it has been fully developed, marketed, and installed. End Users include students, faculty, staff, contractors, consultants, and temporary employees.
Endpoint: A computer or other device, whether or not owned by the College, used to access College data. The term can refer to desktop or laptop computers, servers, tablets, smartphones, thin clients, printers, or other specialized hardware such as Point of Sale terminals and smart meters. This list is non-exhaustive.
Enterprise Directory Services: Information about centrally created accounts and identities is stored in a central directory run by Information Technology Services. The most common implementations of the directory service are Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). College-owned IT systems should use enterprise directory services whenever possible and avoid creating local accounts and authorizations.
Inherent Risk: the level of risk before controls are applied.
Integrity: ensuring the accuracy, completeness, and consistency of information.
Information Security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. The focus is on the confidentiality, integrity, and availability of data.
ITS: The College’s Information Technology Services division, which manages computing hardware and software, networks, servers, licensed third party software, services, and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored therein.
Intrusion detection: the process of monitoring computer systems or networks for unusual events and analyzing them to determine if an incident has occurred.
Intrusion prevention: the process of performing intrusion detection and attempting to stop detected possible incidents.
Least Privilege: user access is limited to the resources needed to perform work for the College.
Legacy System: Any outdated computing system, hardware or software that is still in use. Legacy systems include computer hardware, software applications, file formats and programming languages.
NIST-approved encryption: The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect College data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
Patch: a software update consisting of code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited to, the following:
- Upgrading software
- Fixing a software bug
- Installing new drivers
- Addressing new security vulnerabilities
- Addressing software stability issues
Risk: A probability or threat of damage, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
Risk Assessment: the process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.
Risk Management: the ongoing management process of assessing risks and implementing plans to address them.
Security Incident: An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with ITS operations; or violation of information security policy.
Service Accounts: A service account is used when it is necessary for systems or applications to authenticate to other systems or applications without any association to a person. These accounts should be created sparingly and documentation of the purpose for them should be kept. Their use must be periodically reviewed. Further, the password requirements for service accounts must be no less stringent than user accounts. Finally, service accounts may not be used by people to authenticate aside from initial testing. Service accounts with elevated privileges must be closely monitored for abuse.
Standalone: a computer that is not connected to a network. A standalone device may also be referred to as “air-gapped.”
Threat: An event or condition that has the potential for causing the loss of confidentiality, integrity, and accessibility of Lake Forest College ITS e-resources or data.
Unauthorized Access or Access in Excess of Authorization: viewing, modifying, or destroying information without proper authorization/approval and/or legitimate business need.
RELATED POLICIES:
- Acceptable Use of E-Resources Policy
- Change Management Policy
- Computing Device Lifecycle Policy
- Copyright, File Sharing, and DMCA Policy
- Data Privacy Policy
- Eligibility for Accounts Policy
- Email & Mass Communications Policy
- Governance & Compliance Policy
- Password Policy
- Technology Procurement & Vendor Management Policy
- Student, Faculty, and Staff Handbooks
Document Control:
Entry#: | Date | Version | Notes |
1 | 2014 | 1.0 | Original policy, approved by LITS Advisory Committee |
2 | 11/28/2023 | 2.0 | Rewritten, submitted for review |
3 | 12/07/2023 | 2.0 | Reviewed and approved by LITS Advisory Committee |
4 | 01/11/2024 | 2.0 | Reviewed and approved by the Senior Leadership Team |
5 | 11/1/2024 | 2.5 | Revised for LITS Advisory Committee review |
6 | 11/21/2024 | 2.5 | Reviewed and approved by LITS Advisory Committee |
7 | 12/05/2024 | 2.5 | Reviewed and approved by the Senior Leadership Team |